What are Policies?

Think of policies as promises your organization makes to operate in a secure and professional fashion

Written by Michael Rothbaum
Updated over a year ago

What is a Policy:

A policy is a formal document that outlines your organization's operational commitments and corresponding governance structures. Similar to a nation's constitution, your organization's policies lay out a framework within which decisions are made and establish standards to which your organization can be reliably held.

An Example

Consider this excerpt from Thoropass's template Access Control Policy:

The organization must enforce a role-based access control policy over defined subjects and objects and control access based upon defined roles and users authorized to assume such roles. The organization shall ensure that at minimum, the role-based access control policy establishes and enforces role-based access control (RBAC) on the organization's:
- Core business suite
- Software development system
- Cloud Service Providers
- Other business critical systems

This language, though formal, explicitly lays out a commitment. It says, in short, that my organization will restrict employee access to tools based on the employee's role. Further, it mentions specific types of tools to which this policy must apply.

Why Make a Policy:

Following your organization's policies is the foundation of any robust compliance program.

Policies are written to be read, internalized, and followed. Publishing a policy and not following it is a compliance risk and can threaten your organization's good standing with customers, partners, investors, and auditors.

For example, if your published privacy policy explicitly states that you do not share customer information with any third parties, but you routinely share customer information with a third party for marketing purposes, your organization may be subject to lawsuits from customers or enforcement actions from regulatory agencies, or may have violations noted in its audit reports.

Policies in Thoropass

Start by visiting Thoropass's Policy page using the global navigation or by searching for it in Launchpad (opened with CMD+K or CTRL+K). If you're visiting the page for the first time, you'll see all of Thoropass's template policies. Over time, you will edit and customize these policies to suit your organization's specific needs. Once those policies are published, they will be formal commitments that you must follow in order to operate in a compliant fashion.
